(The webroot is the root directory of the Web server, as distinguished from the root directory of a particular hard drive, such as C:\.) The echo command simply writes any arguments passed to it; the output can be redirected to a file instead of the user’s screen. For example, typing “echo owned > mitnick.txt” will write the word “owned” in the file mitnick.txt. They used a series of echo commands to write out the source code of an ASP script to an executable directory on the Web server. They then uploaded other hacking tools, including the popular net- working tool netcat, which is a very useful utility for setting up a com- mand shell to listen on an incoming port. They also uploaded an exploit tool called HK that exploited a vulnerability in older version of Windows NT to obtain system administrator privileges. They uploaded another simple script to run the HK exploit and then used netcat to open a shell connection back to themselves, enabling them to enter commands to the target machine, much like getting a “DOS prompt” in the days of the DOS operating system. “We tried to initiate an outgoing connection from the internal web server to our computer on the DMZ,” Louis explained. “But that didn’t work, so we had to use a technique called ‘port barging.’” After executing the HK program to gain privileges, they configured netcat to listen on port 80; to “barge” the IIS server out of the way temporarily, watching for the first incoming connection to port 80. Louis explained barging by saying, “You essentially temporarily push IIS out of the way, to steal a shell, and allow IIS to sneak back in at the same time you maintain access to your shell.” In the Windows environ- ment, unlike Unix-type operating systems, it’s permissible to have two programs use the same port simultaneously. An attacker can take advan- tage of this feature by finding a port that’s not filtered by the firewall and then “barging” onto the port. That’s what Louis and Brock did. The shell access they already had on the IIS host was limited to the rights permitted to the account that the Web server was running under. So they ran HK and netcat, and were able to gain full system privileges — running as the system user, which is the highest privilege on the operating system. Using standard methodolo- gies, this access would allow them to get full control of the target’s Windows environment. The server was running Windows NT 4.0. The attackers wanted to get a copy of the Security Accounts Manager (SAM) file, which contained the details of user accounts, groups, policies, and access controls. Under this older version of the operating system, they ran the “rdisk /s” com- mand to make an emergency repair disk. This program initially creates Chapter 9 On the Continent 213 13_569597 ch09.qxd 1/11/05 9:26 PM Page 213 several files in a directory named “repair.” Among the files was an updated version of the SAM file that contained the password hashes for all the accounts on the server. Earlier Louis and Brock recovered the PWL file containing sensitive passwords from a security guard’s laptop; now they were extracting the encrypted passwords of users on one of the servers of the company itself. They simply copied this SAM file into the webroot of the Web server. “Then, using a web browser, we retrieved it from the server to our machine back in our office.” When they had cracked the passwords from the SAM file, what they noticed was that there was another administrator account on the local machine that was different than the built-in administrator account. After I believe it was a couple of hours of cracking, we were able to crack the password for this account and then attempt to authenticate it to the primary domain controller. And we discovered that the local account that had administrator rights on the web server we hacked also had the same password on the domain! The account also had domain administrator rights. So there was a local administrator account on the web server that had the same name as a domain administrator account for the entire domain, and the password for both of those accounts was also the same. It was obviously an administrator being lazy and setting up a second account with the same name as the adminis- trator account on the local system, and giving it the same password. Step-by-step. The local account was simply an administrator on the Web server and didn’t have privileges to the entire domain. But by recovering the password on that local Web server account, thanks to a careless, lazy administrator, they were now able to compromise the domain adminis- trator account. The responsibility of a domain administrator is to admin- ister or manage an entire domain, as distinguished from being an administrator on your local desktop or laptop (single machine). In Louis’s view, this administrator wasn’t an exception. This is a common practice we see all the time. A domain admin- istrator will create local accounts on their machine on the net- work, and use the same password for their accounts with domain administrator privileges. And that means the security at each one of those local systems can be used to compromise the security of the entire domain. The Art of Intrusion 214 13_569597 ch09.qxd 1/11/05 9:26 PM Page 214 Goal Achieved Getting closer. Louis and Brock saw that they could now gain full control over the application server and the data contained on it. They obtained the IP address used to connect to the application server from the security guard’s laptop. From this, they realized the application server was on the same network, which is likely part of the same domain. At last, they had full control over the entire company’s operations. Now we had reached right to the heart of the business. We could change orders on that application server, so we could get the guards to deliver money to where we said. We could essentially issue orders to the guards like, “Pick up money from this business and drop off at this address,” and you’re waiting there to get it when they arrive. Or “Pick up this prisoner A, take him to this location, deliver him to the custody of this person,” and you’ve just gotten your cousin’s best friend out of jail. Or a terrorist. They had in their hands a tool for getting rich, or creating havoc. “It was kind of shocking because they didn’t see the possibility of what could have happened had we not brought this to their attention,” Louis says. What that company considers “security,” he believes, “is actually suspect security.” INSIGHT Louis and Brock did not enrich themselves from the power they held in their hands, and they didn’t issue orders to have any prisoners released or transferred. Instead, they provided the company a full report of what they had discovered. From the sound of it, the company had been seriously remiss. They hadn’t gone through a risk analysis step-by-step — “If the first machine gets compromised, what could a hacker do from that point?” and so on. They considered themselves secure because with a few configuration changes, they could close the gap Louis had pointed out. Their assump- tion was that there weren’t other faults except this one that Louis and Brock had managed to find and use. Louis sees this as a common arrogance within the business sector — an outsider can’t come along and preach security to them. Company IT Chapter 9 On the Continent 215 13_569597 ch09.qxd 1/11/05 9:26 PM Page 215 people don’t mind being told about a few things that need to be fixed, but they won’t accept anyone telling them what they need to do. They think they know it already. When a breach occurs, they figure they just dropped the ball on this one occasion. COUNTERMEASURES As in so many of the stories in this book, the attackers here did not find many security flaws in their target company, yet the few they found were enough to allow them to own the company’s entire domain of computer systems that were essential to business operations. Following are some lessons worth noting. Temporary Workarounds At some time in the past, the 3COM device had been plugged directly into the serial port of the Cisco router. While the pressure of answering immediate needs may justify temporary technology shortcuts, no com- pany can afford to let “temporary” become “forever.” A schedule should be set up for checking the configuration of the gateway devices through physical and logical inspection, or by using a security tool that continu- ally monitors whether any open ports existing on a host or device is in accordance with company security policy. Using High Ports The security company had configured a Cisco router to allow remote connections over a high port, presumably in the belief that a high port would be obscure enough never to be stumbled upon by an attacker — another version of the “security through obscurity” approach. We’ve already addressed the issue more than once in these pages about the folly of any security decision based on this attitude. The stories in this book demonstrate again and again that if you leave a single gap, some attacker will sooner or later find it. The best security practice is to ensure that the access points of all systems and devices, obscure or not, be fil- tered from any untrusted network. Passwords Once again, all default passwords for any device should be changed prior to the system or device going into production. Even the technical The Art of Intrusion 216 13_569597 ch09.qxd 1/11/05 9:26 PM Page 216 white-belts know this common oversight and how to exploit it. (Several sites on the Web, such as www.phenoelit.de/dpl/dpl.html, provide a list of default usernames and passwords.) Securing Personnel Laptops The systems being used by the company’s remote workers were connect- ing to the corporate network with little or no security, a situation that is all too common. One client even had PC Anywhere configured to allow remote connections without even requiring a password. Even though the computer was connecting to the Internet via dial-up, and only for very limited periods of time, each connection created a window of exposure. The attackers were able to remotely control the machine by connecting to the laptop running PC Anywhere. And because it had been set up without requiring a password, attackers were able to hijack the user’s desktop just by knowing the IP address. IT policy drafters should consider a requirement that client systems maintain a certain level of security before being allowed to connect to the corporate network. Products are available that install agents onto the client systems to ensure security controls are commensurate with com- pany policy; otherwise, the client system is denied access to corporate computing resources. The bad guys are going to analyze their targets by examining the whole picture. This means trying to identify whether any users connect remotely, and if so, the origin of those connections. The attacker knows if he or she can compromise a trusted computer that is used to connect to the corporate network, it’s highly likely that this trust relationship can be abused to gain access to corporate information resources. Even when security is being well handled within a company, there is too often a tendency to overlook the laptops and home computers used by employees for accessing the corporate network, leaving an opening that attackers can take advantage of, as what happened in this story. Laptops and home computers that connect to the internal network must be secure; otherwise, the employee’s computer system may be the weak link that’s exploited. Authentication The attackers in this case were able to extract the authentication informa- tion from the client’s system without being detected. As has been pointed out repeatedly in earlier chapters, a stronger form of authentication will Chapter 9 On the Continent 217 13_569597 ch09.qxd 1/11/05 9:26 PM Page 217 stop most attackers dead in their tracks, and companies should consider using dynamic passwords, smart cards, tokens, or digital certificates as a means of authentication for remote access into VPNs or other sensitive systems. Filtering Unnecessary Services IT staff should consider creating a set of filtering rules to control both incoming and outgoing connections to specific hosts and services from untrusted networks such as the Internet, as well as from semi-trusted (DMZ) networks within the company. Hardening The story also provides a reminder of an IT staff that did not bother to harden the computer systems connected to the internal network, or keep up-to-date with security patches, presumably because of the perception that the risk of being compromised was low. This common practice gives the bad guys an advantage. Once the attacker finds a way to access a sin- gle internal unsecured system and is able to successfully compromise it, the door is open for expanding illicit access to other systems that are trusted by the compromised computer. Again, simply relying on the perimeter firewall to keep the hackers at bay without bothering to harden the systems connected to the corporate network is like piling all your wealth in $100 bills on the dining room table and figuring you’re safe because you keep the front door locked. THE BOTTOM LINE Since this is the last chapter on stories that illustrate technical-based attacks, it seems like a good place for a few words of recap. If you were asked to name important steps to defend against the most common vulnerabilities that allow attackers to gain entry, based on the stories in this book, what would some of your choices be? Please think about your answer briefly before reading on; then go to the next page. The Art of Intrusion 218 13_569597 ch09.qxd 1/11/05 9:26 PM Page 218 Whatever items you came up with as some of the most common vul- nerabilities described in this book, I hope you remembered to include at least some of these: ● Develop a process for patch management to ensure that all the necessary security fixes are applied in a timely manner. ● For remote access to sensitive information or computing resources, use stronger authentication methods than are pro- vided by static passwords. ● Change all default passwords. ● Use a defense-in-depth model so that a single point of failure does not jeopardize security, and routinely test this model on a regular basis. ● Establish a corporate security policy concerning the filtering of both incoming and outgoing traffic. ● Harden all client-based systems that access sensitive informa- tion or computing resources. Let’s not forget that the persist- ent attacker also targets client systems to either hijack a legitimate connection or to exploit a trusted relationship between the client system and the corporate network. ● Use intrusion-detection devices to identify suspicious traffic or attempts to exploit known vulnerabilities. Such systems may, as well, identify a malicious insider or an attacker who has already compromised the secure perimeter. ● Enable auditing features of the operating system and critical applications. Also, ensure that the logs are preserved on a secure host that has no other services and the minimal num- ber of user accounts. Chapter 9 On the Continent 219 13_569597 ch09.qxd 1/11/05 9:26 PM Page 219 13_569597 ch09.qxd 1/11/05 9:26 PM Page 220 221 Chapter 10 Social Engineers — How They Work and How to Stop Them The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in recip- rocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect. — Social Psychologist Dr. Brad Sagarin T his chapter does something a bit different: We look at the most difficult type of attack to detect and defend against. The social engineer, or the attacker skilled in the art of deception as one of the weapons in his or her toolkit, preys on the best qualities of human nature: our natural tendencies to be helpful, polite, supportive, a team player, and the desire to get the job done. As with most things in life that threaten us, the first step toward a sen- sible defense is understanding the methodologies used by cyber-adver- saries. So, we present here a set of psychological insights that probe the underpinnings of human behavior allowing the social engineer to be so influencing. First, though, an eye-opening story of a social engineer at work. The fol- lowing is based on a story we received in writing that is both amusing and a textbook case of social engineering. We thought it so good that we have included it despite some reservations; the man either had accidentally 14_569597 ch10.qxd 1/11/05 9:25 PM Page 221 omitted some of the details because he was distracted on other business matters or else he made up portions of the story. Still, even if some of this is fiction, it makes the case very convincingly of the need for better pro- tection against social engineering attacks. As elsewhere throughout the book, details have been changed to pro- tect both the attacker and the client company. A SOCIAL ENGINEER AT WORK In the summer of 2002, a security consultant whose handle is “Whurley” was hired by a resort group in Las Vegas to perform a variety of security audits. They were in the process of reengineering their approach to secu- rity and hired him to “try to circumvent any and all processes” in an effort to help them build a better security infrastructure. He had plenty of technical experience, but little experience being in a casino. After a week or so of immersing himself in research on the culture of the Strip, it was time for the real Las Vegas. He usually made it a practice to start a job like this early, getting finished before it was officially sched- uled to begin, because over the years he had found that managers don’t tell employees about a potential audit until the week they think it’s going to happen. “Even though they shouldn’t give anyone a heads up, they do.” But he easily circumvented this by performing the audit in the two weeks before the scheduled date. Though it was nine at night by the time he arrived and settled into his hotel room, Whurley went straight to the first casino on his list to start his on-site research. Having not spent a lot of time in casinos, this experience was quite an eye-opener for him. The first thing he noticed contradicted what he had seen on the Travel channel, where every casino staffer shown or interviewed appeared to be an elite security specialist. The majority of the employees he watched on-site seemed to be “either dead asleep on their feet or completely complacent in their job.” Both of these conditions would make them easy targets for the simplest of confidence games — which wasn’t even going to come close to what he had planned. He approached one very relaxed employee and with a very little prod- ding found the person willing to discuss the details of his job. Ironically, he had previously been employed by Whurley’s client-casino. “So, I bet that was a lot better, huh?” Whurley asked. The employee replied, “Not really. Here I get floor-audited all the time. Over there they hardly noticed if I was a little behind, pretty much The Art of Intrusion 222 14_569597 ch10.qxd 1/11/05 9:25 PM Page 222 [...]... example, in the story, The Network Outage,” appearing in Chapter 5 of The Art of Deception, the attacker explains that the network connection might go down The attacker then does something that makes the victim lose his network connection, giving the attacker credibility in the eyes of the victim This prediction tactic is often combined with the third of these methods, in which the attacker further “proves”... creating the illusion of credibility and trustworthiness The name of the project manager on a sensitive company project, the physical location of a team of developers, the name of the server that a particular employee uses, and the project name assigned to a secret project are all significant, and each company needs to weigh the needs of the business against the possible threat to security These are... won’t be any longer than that.” When the victim becomes emotional, the attacker offers to help restore the files quicker; all that’s needed is the target’s username and password The target, relieved at a way to avoid the threatened loss, will usually comply gladly The Art of Intrusion 238 The other side of the coin involves using the scarcity principle to coerce the target into pursuing a promised... increase liking Chapter 10 Social Engineers — How They Work and How to Stop Them 237 Another tactic is the use of name-dropping of people that the target knows and likes In this, the attacker is trying to be seen as part of the “in group” within the organization Hackers also use flattery or compliments to stroke the ego of the victim, or target people within the organization who have recently been rewarded... junior executive Most of the people running around were wearing staffer clothes, so it was highly unlikely they would question me.” 226 The Art of Intrusion As he was walking down the hallway, he noticed that one of the camera rooms just looked just like the ones he had seen on the Travel Channel — an “Eye in the Sky” room, except that this one wasn’t overhead The outer room had the most VCRs I had... for the poor slob on the other end of the telephone?)” Attribution Attribution refers to the way people explain their own behavior and that of others A goal of the social engineer is to have the target attribute certain characteristics to him or her, such as expertise, trustworthiness, credibility, or likability Example: Dr Sagarin cites the story, The Promotion Seeker,” appearing in Chapter 10 of The. .. him to work through the problem with her And he offered to grab one of the badges if Larry would show him where they were “So Larry walked me over to a filing cabinet, opened a drawer, and just said ‘Take one of these.’ He then walked back to his desk and picked up the phone I noticed that there was no sign-out sheet or log of the badge numbers, so I took two of the several that were there.” He now had... keep them there One tactic is to call a target five minutes before the end of the workday, counting on the fact that anxiety about leaving the office on time may lead the target to comply with a request that might otherwise have been challenged Momentum of Compliance Social engineers create a momentum of compliance by making a series of requests, starting with innocuous ones Example: Dr Sagarin cites the. .. nudge the unsuspecting victim into the role of a helper Fear A social engineer will sometimes make his or her target believe that some terrible thing is about to happen, but that the impending disaster can be averted if the target does as the attacker suggests In this way, the attacker uses fear as a weapon Example: In the story, The Emergency Patch,” appearing in Chapter 12 of The Art of Deception, the. .. was time to get started He had packed a 224 The Art of Intrusion bag with “a few goodies including my laptop, an Orinoco broadband wireless gateway, an antenna, and a few other accessories.” The goal was simple Try to get into the office area of the casino, take some digital photos (with time stamps) of himself in places he shouldn’t be, and then install a wireless access point on the network so that . num- ber of user accounts. Chapter 9 On the Continent 2 19 13_5 695 97 ch 09. qxd 1/11/05 9: 26 PM Page 2 19 13_5 695 97 ch 09. qxd 1/11/05 9: 26 PM Page 220 221 Chapter 10 Social Engineers — How They Work. And that means the security at each one of those local systems can be used to compromise the security of the entire domain. The Art of Intrusion 214 13_5 695 97 ch 09. qxd 1/11/05 9: 26 PM Page 214 Goal. briefly before reading on; then go to the next page. The Art of Intrusion 218 13_5 695 97 ch 09. qxd 1/11/05 9: 26 PM Page 218 Whatever items you came up with as some of the most common vul- nerabilities